Ledger, a cryptocurrency platform that offers a secure hardware wallet, has suffered a massive data breach. As a result, personal information of around 270,000 customers has been dumped on a hacker forum for free and has led to a tsunami of phishing attacks.
The data dump, which stems from a breach in June, was posted on RaidForums, a marketplace for sharing hacked information. It contains names, email addresses, physical addresses and phone numbers. Ledger admitted to the data breach in July, saying that personal information of only 9,500 customers was compromised. However, the company anticipated that the breach might have included information of many more customers, and that turned out to be true. According to the dump, apart from the 270K customers' information, the email addresses of over 1 million people who subscribed to Ledger newsletters had also been posted.
"Today we were alerted to the dump of the contents of a Ledger customer database on RaidForum. We are still confirming, but early signs tell us that this indeed could be the contents of our e-commerce database from June 2020," Ledger said in a statement.
Massive Phishing Campaign
With every data breach, the risk of phishing attacks increases. The Ledger breach was no different. Cybersecurity experts have noticed Ledger data being sold on other hacker forums since October 2020, and many reported receiving spam emails asking them, among other things, to verify KYC.
However, with the latest dump, the rate of such phishing attacks has increased manyfold. On Sunday and Monday, many users reported receiving emails and text messages. In some emails, malicious actors imitated an official email from Ledger purporting to disclose a data breach. Some emails also asked users to download a new version of Ledger Live to secure their wallets with a new PIN, BleepingComputer reported.
"scammers are going wild. Sending fake emails pretending to be Ledger apologizing for the data leak and phishing you to install "latest version". BEWARE!!" one user posted on Twitter.
Ledger apologized for the data breach and the phishing attacks, saying that since the incident the company had strengthened its data security. "It is a massive understatement to say we sincerely regret this situation. We take privacy extremely seriously. Avoiding situations like this are a top priority for our entire company, and we have learned valuable lessons from this situation which will make Ledger even more secure," the company said, adding that since the breach it had taken down over 170 phishing websites.
What Should You Do?
Many scammers claiming to be from Ledger may ask for your 24-word Ledger recovery phrase. You should never disclose it to anyone, or enter it on any website mentioned in such emails. The 24-word phrase should only be entered on a Ledger device. Ignore any email or postal mail you might have received and contact Ledger customer support.
"Never share the 24 words of your recovery phrase with anyone, even if they are pretending to be a representative of Ledger. Ledger will never ask you for them. Ledger will never contact you via text messages or phone call," the company said in a tweet.